Cheat Engine - The Official Site of Cheat Engine

mgostIH (Expert Cheater)
Posted: Mon Feb 22, 2016 2:40 pm
Post subject: Is PEB hiding as good as manual mapping?
So, I was having this little thought about making an injector that would hide the DLL by modifying the PEB.
Consider going up against a good anticheat (without modifying it) that runs in usermode: would PEB hiding be capable of dealing with an AC that runs signature scanning on its modules, hooks basic kernel-mode APIs, runs multiple code-integrity checks and is full of anti-debugging tricks?
Manual mapping lets us allocate some memory (usually a DLL) without needing to deal with the APIs of the process (maybe only CreateThread), so this is very safe and hard to check against, but hard to implement and pretty unstable.
On the other hand, a good PEB-hiding injector could copy the whole unhooked kernel32 module into the target process and use the generated API to do the whole allocation, without any trouble with being hooked.
Now, as soon as the DLL loads, the injector (or the DLL itself) unloads it from the PEB, leaving the target process unable to detect it, as the PEB is a dynamic structure that cannot be signature scanned.
Now the question:
Is PEB hiding good enough to stand against manual mapping, or shouldn't we trust it?
I'd be glad to see your answers!

Dark Byte (Site Admin)
Posted: Mon Feb 22, 2016 2:48 pm
Use it as long as it works, but also develop ways that will work when PEB hiding doesn't.
(Don't show them all your cards from the start.)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping

mgostIH (Expert Cheater)
Posted: Mon Feb 22, 2016 3:01 pm
Dark Byte wrote:
    Use it as long as it works, but also develop ways that will work when PEB hiding doesn't.
    (Don't show them all your cards from the start.)
Fair enough.
Anyway, I don't know a lot of ways to "hide" my code in usermode.
I can make it more complex, encrypt the functions I use, add polymorphism to my programs and all that, but when it comes to hiding from "absolute" anticheats, I just can't.
I might start with developing kernel drivers to hook the Windows APIs used to detect hacks, but they are very hard to distribute, and I don't feel like going into that for now.
Any suggestions on other usermode tricks?

Dark Byte (Site Admin)
Posted: Mon Feb 22, 2016 4:39 pm
There's exception hooking you could play with: change the access protection of specific pages, capture the access violations and do stuff with that.
But yeah, subsequent levels will require kernel mode, and possibly even hypervisor mode.
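Dark Byte's exception-hooking suggestion, as an added example that is not part of the original thread: take access away from a page, catch the resulting access violation, record who touched what, then restore access so the faulting instruction re-executes. On Windows this is VirtualProtect with PAGE_NOACCESS plus a vectored exception handler (AddVectoredExceptionHandler); the block below uses the Linux equivalents, mprotect and a SIGSEGV handler, so it compiles and runs without a Windows box. The watched page, the accesses and the hit counter are constructed for the demo and stand in for whatever game data the hook would really be watching.

```c
/* Added example, not from the thread: "exception hooking" as Dark Byte
 * describes it, with Linux equivalents so it runs anywhere.
 *   Windows: VirtualProtect(PAGE_NOACCESS) + AddVectoredExceptionHandler
 *   here:    mprotect(PROT_NONE)          + sigaction(SIGSEGV, SA_SIGINFO)
 * Strip access from a page, let the access violation tell us who touched
 * what, then restore access so the faulting instruction re-executes. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static void *g_watched;                 /* page under watch (constructed for the demo) */
static size_t g_watched_len;
static volatile int g_hits;             /* access violations we intercepted */
static volatile uintptr_t g_last_addr;  /* address of the last intercepted access */

static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t a = (uintptr_t)si->si_addr;
    if (a < (uintptr_t)g_watched || a >= (uintptr_t)g_watched + g_watched_len) {
        /* Not our page: a genuine crash. Restore the default action; the
         * instruction re-executes, faults again and terminates the process. */
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    g_hits++;
    g_last_addr = a;
    /* Open the page again; on return the CPU retries the access and it succeeds.
     * A production hook would single-step past it and re-arm (PROT_NONE again);
     * here the trap is one-shot and re-armed explicitly with arm_watch(). */
    mprotect(g_watched, g_watched_len, PROT_READ | PROT_WRITE);
}

static int install_fault_hook(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Take all access away from [page, page+len): the next touch traps. */
static int arm_watch(void *page, size_t len)
{
    g_watched = page;
    g_watched_len = len;
    return mprotect(page, len, PROT_NONE);
}

/* Demo on a constructed page: returns the number of intercepted accesses
 * (2 when everything works) or -1 on setup failure or unexpected behaviour. */
static int demo_trap_accesses(void)
{
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    void *raw = mmap(NULL, ps, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (raw == MAP_FAILED || install_fault_hook() != 0) return -1;
    volatile uint8_t *page = raw;       /* volatile: keep each access as written */
    g_hits = 0;

    arm_watch(raw, ps);
    page[16] = 0x41;                    /* write -> fault -> logged -> retried */
    page[17] = 0x42;                    /* page is open again: no fault */
    int after_write = g_hits;           /* 1 */

    arm_watch(raw, ps);
    uint8_t v = page[16];               /* read -> second fault */
    int after_read = g_hits;            /* 2 */
    int ok = (after_write == 1 && after_read == 2 &&
              v == 0x41 && g_last_addr == (uintptr_t)raw + 16);

    munmap(raw, ps);
    return ok ? g_hits : -1;
}

int main(void)
{
    int hits = demo_trap_accesses();
    printf("intercepted accesses: %d, last at page offset +%lu\n",
           hits, (unsigned long)(g_last_addr - (uintptr_t)g_watched));
    return hits == 2 ? 0 : 1;
}
```

A production trap of this kind is not one-shot: the handler single-steps past the access (set the trap flag, catch the single-step exception, re-protect) so every touch is seen, and it must tell its own page apart from a genuine crash, as the handler above does by handing everything else back to the default action. Anti-cheats know the trick too: a page whose protection keeps flipping, or a vectored handler the game did not register, is itself a signal.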

atom0s (Moderator)
Posted: Mon Feb 22, 2016 8:45 pm
This idea is not something new, and most anti-cheats will detect what you are doing. You are going to have a delay in injecting and hiding your information, which more popular anti-cheats are going to detect.
Manual mapping is a much better method of avoiding detection than this.
_________________
- Retired.

mgostIH (Expert Cheater)
Posted: Tue Feb 23, 2016 8:36 am
atom0s wrote:
    This idea is not something new, and most anti-cheats will detect what you are doing. You are going to have a delay in injecting and hiding your information, which more popular anti-cheats are going to detect.
    Manual mapping is a much better method of avoiding detection than this.
So basically the only way to detect the DLL hidden with PEB modification is to detect it in the delay while it's loading? So, shouldn't linking it with user32.dll work as an injection method?

atom0s (Moderator)
Posted: Tue Feb 23, 2016 3:17 pm
mgostIH wrote:
    So basically the only way to detect the DLL hidden with PEB modification is to detect it in the delay while it's loading? So, shouldn't linking it with user32.dll work as an injection method?
You can detect it by other means; the delay was just one example. PEB hiding is not that clean at hiding something, and the API / memory edits that you have to do are easily detected. On crappy anti-cheats it will be enough and work fine, but more effective anti-cheats will still detect your stuff without a problem.
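One of the "other means" atom0s alludes to, as an added example that is not from the thread: the kernel keeps its own map of the address space, independent of the PEB, and an anti-cheat can compare that map with the loader's module list. Executable memory that no listed module accounts for (a manually mapped image, or a DLL that unlinked itself) is the "unknown allocation" in that comparison. On Windows the kernel side is VirtualQuery / NtQueryVirtualMemory (which is what GetMappedFileName uses underneath) and the loader side is PEB_LDR_DATA; this block uses the Linux equivalents, /proc/self/maps and dl_iterate_phdr, so it compiles and runs anywhere. The anonymous RWX mapping it creates stands in for a manually mapped payload and is constructed for the demo.

```c
/* Added example, not from the thread: cross-check the OS's view of the
 * address space against the loader's module list. Executable memory that
 * no listed module accounts for is the "unknown allocation" an anti-cheat
 * looks for; unlinking a DLL from the PEB changes the list, not the mapping.
 * Linux equivalents are used so this compiles and runs anywhere:
 *   /proc/self/maps   ~ VirtualQuery() / GetMappedFileName()   (kernel's view)
 *   dl_iterate_phdr() ~ walking PEB_LDR_DATA's module lists    (loader's view)
 */
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define MAX_RANGES 1024
typedef struct { uintptr_t lo, hi; } range_t;

static range_t g_listed[MAX_RANGES];   /* executable segments the loader lists */
static size_t  g_listed_cnt;

/* Loader's view: record every executable PT_LOAD of every object it knows. */
static int collect_listed(struct dl_phdr_info *info, size_t size, void *data)
{
    (void)size; (void)data;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_LOAD || !(ph->p_flags & PF_X)) continue;
        if (g_listed_cnt == MAX_RANGES) return 1;          /* table full: stop */
        uintptr_t lo = info->dlpi_addr + ph->p_vaddr;
        g_listed[g_listed_cnt++] = (range_t){ lo, lo + ph->p_memsz };
    }
    return 0;
}

/* A mapping is accounted for if it overlaps a segment the loader lists. */
static int accounted_for(uintptr_t lo, uintptr_t hi)
{
    for (size_t i = 0; i < g_listed_cnt; i++)
        if (lo < g_listed[i].hi && hi > g_listed[i].lo) return 1;
    return 0;
}

/* Kernel's view vs loader's view. Returns how many executable mappings no
 * listed module accounts for; up to 'max' of them are written to 'out'. */
static size_t find_unlisted_exec(range_t *out, size_t max)
{
    g_listed_cnt = 0;
    dl_iterate_phdr(collect_listed, NULL);

    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    size_t found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (perms[2] != 'x') continue;                                   /* not executable */
        if (strstr(line, "[vdso]") || strstr(line, "[vsyscall]")) continue; /* kernel-provided code */
        if (accounted_for(lo, hi)) continue;
        if (found < max) out[found] = (range_t){ lo, hi };
        found++;
    }
    fclose(f);
    return found;
}

/* Demo: an anonymous executable mapping (what a manual mapper produces) is
 * reported even though nothing was ever added to the loader's list.
 * Returns 1 if the mapping was found, 0 if not, -1 if mmap failed. */
static int demo_manual_map_is_visible(void)
{
    range_t hits[64];
    size_t len = 4096;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;

    size_t n = find_unlisted_exec(hits, 64);
    int seen = 0;
    for (size_t i = 0; i < n && i < 64; i++)
        if (hits[i].lo <= (uintptr_t)p && (uintptr_t)p < hits[i].hi) seen = 1;

    munmap(p, len);
    return seen;
}

int main(void)
{
    range_t hits[64];
    size_t n = find_unlisted_exec(hits, 64);
    printf("unlisted executable mappings before the demo: %zu\n", n);
    printf("anonymous RWX mapping reported: %d\n", demo_manual_map_is_visible());
    return 0;
}
```

The Windows filter is the same shape: VirtualQuery regions with a PAGE_EXECUTE* protection whose Type is MEM_PRIVATE (no backing file), or whose MEM_IMAGE base is not a module in the loader lists; GetMappedFileName returning nothing for an executable region is the same signal. Unlinking from InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList removes the module from what toolhelp and the PEB-walking code see, but not from this scan, and on Windows 8 and later the loader additionally keeps a hash table and a base-address red-black tree, so the three list entries are not even the only references to the module.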

mgostIH (Expert Cheater)
Posted: Tue Feb 23, 2016 4:04 pm
atom0s wrote:
    You can detect it by other means; the delay was just one example. PEB hiding is not that clean at hiding something, and the API / memory edits that you have to do are easily detected. On crappy anti-cheats it will be enough and work fine, but more effective anti-cheats will still detect your stuff without a problem.
Yeah, I saw a thread about GetMappedFileName() bypassing the PEB, but are there other APIs that do not care about the PEB at all?
If so, are there examples of them being used in practice?

atom0s (Moderator)
Posted: Tue Feb 23, 2016 6:07 pm
API is not the only way to walk the TEB/PEB. The anti-cheat can manually walk it via inline ASM.
Get Current TEB
| Code: |
; x86 (32-bit): FS selects the current thread's TEB
mov eax, fs:[0x18]   ; NT_TIB.Self: linear address of the TEB
; EAX now holds the TEB pointer. (The PEB pointer is within this structure, at TEB+0x30.)
|
Get Current PEB
| Code: |
mov eax, fs:[0x30]   ; TEB.ProcessEnvironmentBlock
; EAX now holds the PEB pointer. The loader lists hang off PEB.Ldr (PEB+0x0C),
; a PEB_LDR_DATA with the InLoadOrder / InMemoryOrder / InInitializationOrder lists.
; (x64: TEB at gs:[0x30], PEB at gs:[0x60], PEB.Ldr at PEB+0x18.)
|
Some things that the anti-cheat can be doing to detect you:
- Monitor the TEB/PEB information for changes.
- Monitor the load order module list for alterations.
- Monitor memory allocations for unknown modules / unknown allocations. (This is pretty common in anti-cheats that use memory allocation management to monitor for foreign allocations.)
There are things to consider when you do hooks and such to prevent detection as well. The anti-cheat may not use the currently loaded address information when doing checks. They can load the system module from disk manually and ensure that no data was altered, looking for patches in the runtime data. (Basically like memory CRC checks, hook checks on the first ~20 bytes of a function for detours, etc.)
An anti-cheat that relies on the Win32 API can be completely bypassed with basic hooks if it does not ensure the APIs are not tampered with, while others will ensure there are no alterations made. Some will only check the prologue of the API function, looking for basic detours or patches, while others will check for mid-function hooks as well.
The other thing to keep in mind is how thorough the anti-cheat is. Is it a simple user-mode anti-cheat that relies on the Win32 API and basic inline ASM? Or is it a kernel-mode anti-cheat that uses a driver to do the major work? You can take a look at Cheat Engine's driver to get some more information on how to go about editing memory and such from the kernel level, as well as the helpful anti-detection stuff it includes.
Also the stealth edit plugin may be of use for what you are messing with.
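The integrity check atom0s describes, as an added example that is not from the thread: take a clean copy of the module from disk, compare it with the live bytes, ignore the offsets the loader is allowed to patch (base relocations), and classify the entry bytes against the usual inline-detour shapes. The block is platform-neutral C; the 16-byte "clean" and "live" functions and the relocation offset are constructed x86 samples, not bytes from any real system DLL.

```c
/* Added example, not from the thread: the module integrity check described
 * above. A clean copy of a function (from the DLL on disk, relocated to the
 * live image base) is compared against the live bytes in the process, and
 * the entry bytes are classified against known inline-detour shapes.
 * The byte arrays below are constructed x86 samples, not bytes from any
 * real system DLL. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE = 0,       /* bytes match the clean copy                          */
    HOOK_JMP_REL32,      /* E9 rel32          : classic detour                  */
    HOOK_JMP_ABS_IND,    /* FF 25 disp32      : jmp [addr], common on x64       */
    HOOK_PUSH_RET,       /* 68 imm32 ; C3     : push/ret trampoline             */
    HOOK_MOV_EAX_JMP,    /* B8 imm32 ; FF E0  : mov eax,addr ; jmp eax          */
    HOOK_BREAKPOINT,     /* CC or 0F 0B       : int3 / ud2 trap hook            */
    HOOK_MODIFIED        /* differs, but not a known shape at the prologue      */
} hook_kind;

/* Recognise the usual inline-detour shapes at a function entry. */
static hook_kind classify_prologue(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_ABS_IND;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;
    if (n >= 7 && p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0) return HOOK_MOV_EAX_JMP;
    if (n >= 1 && p[0] == 0xCC) return HOOK_BREAKPOINT;
    if (n >= 2 && p[0] == 0x0F && p[1] == 0x0B) return HOOK_BREAKPOINT;
    return HOOK_NONE;
}

/* Byte-compare clean vs live, ignoring offsets the loader is allowed to
 * patch (base relocations of 'reloc_size' bytes). Returns the offset of the
 * first unexplained difference, or -1 if the function is intact. */
static long first_unexplained_diff(const uint8_t *clean, const uint8_t *live, size_t n,
                                   const size_t *reloc_off, size_t reloc_cnt, size_t reloc_size)
{
    for (size_t i = 0; i < n; i++) {
        if (clean[i] == live[i]) continue;
        int in_reloc = 0;
        for (size_t r = 0; r < reloc_cnt; r++)
            if (i >= reloc_off[r] && i < reloc_off[r] + reloc_size) { in_reloc = 1; break; }
        if (!in_reloc) return (long)i;
    }
    return -1;
}

/* Full verdict for one function. The diff runs over the whole body, so a
 * mid-function patch is caught too; only a difference that starts inside the
 * first bytes is reported as a prologue detour. */
static hook_kind check_function(const uint8_t *clean, const uint8_t *live, size_t n,
                                const size_t *reloc_off, size_t reloc_cnt, size_t reloc_size)
{
    long d = first_unexplained_diff(clean, live, n, reloc_off, reloc_cnt, reloc_size);
    if (d < 0) return HOOK_NONE;
    hook_kind k = classify_prologue(live, n);
    return (k != HOOK_NONE && d < 7) ? k : HOOK_MODIFIED;
}

/* Constructed sample (x86, 16 bytes): push ebp; mov ebp,esp; sub esp,0x10;
 * push esi; push edi; mov edi,[ebp+8]; mov ecx,imm32. The imm32 at offset 12
 * is an absolute address, so it carries a base relocation. */
static const uint8_t kClean[16] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x56, 0x57,
    0x8B, 0x7D, 0x08, 0xB9, 0x00, 0x10, 0x40, 0x00 };
static const size_t kRelocOffsets[] = { 12 };

/* Same module loaded at another base: only the relocated imm32 differs. */
static const uint8_t kLiveRelocated[16] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x56, 0x57,
    0x8B, 0x7D, 0x08, 0xB9, 0x00, 0x10, 0x6B, 0x00 };

/* Entry overwritten with jmp rel32 (5 bytes) by an inline hook. */
static const uint8_t kLiveJmpHooked[16] = {
    0xE9, 0x1B, 0x00, 0x10, 0x00, 0x10, 0x56, 0x57,
    0x8B, 0x7D, 0x08, 0xB9, 0x00, 0x10, 0x6B, 0x00 };

/* Prologue intact, three bytes patched in the middle (mid-function hook). */
static const uint8_t kLiveMidPatched[16] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x56, 0x57,
    0xCC, 0xCC, 0xCC, 0xB9, 0x00, 0x10, 0x6B, 0x00 };

static hook_kind verdict(const uint8_t *live)
{
    return check_function(kClean, live, sizeof kClean, kRelocOffsets, 1, 4);
}

int main(void)
{
    static const char *names[] = { "intact", "jmp rel32", "jmp [abs]", "push/ret",
                                   "mov eax/jmp eax", "int3/ud2", "modified" };
    printf("relocated copy : %s\n", names[verdict(kLiveRelocated)]);
    printf("jmp-hooked copy: %s\n", names[verdict(kLiveJmpHooked)]);
    printf("mid-patched    : %s (first diff at +%ld)\n", names[verdict(kLiveMidPatched)],
           first_unexplained_diff(kClean, kLiveMidPatched, 16, kRelocOffsets, 1, 4));
    return 0;
}
```

Two things a real scan has to get right: the disk copy must be section-mapped and relocated to the live image base before comparing (otherwise every absolute address looks like a patch; the relocation mask above stands in for that step), and a difference anywhere in the body counts, which is how the mid-function hook is caught even though its prologue is clean. Checking only the first few bytes, as some anti-cheats do, misses it.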

mgostIH (Expert Cheater)
Posted: Wed Feb 24, 2016 12:54 pm
atom0s wrote:
    API is not the only way to walk the TEB/PEB. The anti-cheat can manually walk it via inline ASM.
    [...]
    Also the stealth edit plugin may be of use for what you are messing with.
For me it seems pretty impractical for an anticheat to "detect" PEB/TEB changes, as both are dynamic structures that change not only while the program is running, but on every startup or environmental change (for example, Fraps itself needs to inject a DLL, and an anticheat banning you for recording would be dumb).
So, I don't see how PEB hiding would be worse than manual mapping when it comes to usermode-only ACs.

atom0s (Moderator)
Posted: Fri Feb 26, 2016 12:27 pm
mgostIH wrote:
    For me it seems pretty impractical for an anticheat to "detect" PEB/TEB changes, as both are dynamic structures that change not only while the program is running, but on every startup or environmental change (for example, Fraps itself needs to inject a DLL, and an anticheat banning you for recording would be dumb).
    So, I don't see how PEB hiding would be worse than manual mapping when it comes to usermode-only ACs.
Trial and error then, to see if the anti-cheat detects either method. How often the anti-cheat is updated would dictate how thoroughly I'd handle things. Does the anti-cheat get updated frequently? There is the potential that one day it could be more excessive than simple user-mode things. At that point your cheat could be undetected one day, and the next you could be banned.
More or less up to you how to go about implementing your bypass, though. Personally I wouldn't do PEB hiding if bypassing an anti-cheat is the purpose. Too risky to be detected.

mgostIH (Expert Cheater)
Posted: Fri Feb 26, 2016 12:47 pm
atom0s wrote:
    Trial and error then, to see if the anti-cheat detects either method. How often the anti-cheat is updated would dictate how thoroughly I'd handle things. Does the anti-cheat get updated frequently? There is the potential that one day it could be more excessive than simple user-mode things. At that point your cheat could be undetected one day, and the next you could be banned.
    More or less up to you how to go about implementing your bypass, though. Personally I wouldn't do PEB hiding if bypassing an anti-cheat is the purpose. Too risky to be detected.
Well, I was referring to a generic anticheat; I am not testing stuff against something that really exists.
Anyway, assuming I make a private hack to distribute or keep for myself, I doubt I'd let it keep working when it detects a change in the game code (or simply when I see the game downloading new AC content).
So I'd have the time to test it out on alternative accounts.
Thank you so much for the responses, it's really nice to talk with someone who understands what I am talking about.

atom0s (Moderator)
Posted: Fri Feb 26, 2016 12:56 pm
mgostIH wrote:
    Well, I was referring to a generic anticheat; I am not testing stuff against something that really exists.
    Anyway, assuming I make a private hack to distribute or keep for myself, I doubt I'd let it keep working when it detects a change in the game code (or simply when I see the game downloading new AC content).
    So I'd have the time to test it out on alternative accounts.
    Thank you so much for the responses, it's really nice to talk with someone who understands what I am talking about.
Is there a specific anti-cheat you are working with? Stuff like VAC has delayed bans, which could detect your cheat and not ban you until up to two months later. They use it as a method to prevent cheat makers from knowing which code got detected, etc.
Keeping your cheat private is the best method to prevent detection as well. Don't give it out to anyone.
Also avoid using public code. In most cases that code is, or will be, detected at some point in time.

mgostIH (Expert Cheater)
Posted: Fri Feb 26, 2016 2:49 pm
atom0s wrote:
    Is there a specific anti-cheat you are working with? Stuff like VAC has delayed bans, which could detect your cheat and not ban you until up to two months later. They use it as a method to prevent cheat makers from knowing which code got detected, etc.
    Keeping your cheat private is the best method to prevent detection as well. Don't give it out to anyone.
    Also avoid using public code. In most cases that code is, or will be, detected at some point in time.
Yeah, I studied VAC for a long time, but I don't like making hacks for FPS games; there's not really much to invent.
Also, I create hacks for the knowledge I can get by making them; the last thing I would do is copy someone else's work just to see something work.